This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch install-rustup-cargo-in-images
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 11fabb925c2149c202e814965459e1402025208d
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Apr 4 13:43:06 2026 +0200

    Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh
    
    Download the rustup-init binary directly and verify its SHA256 checksum
    before execution, instead of piping the shell installer script through sh.
---
 Dockerfile                                | 20 ++++++++++++++++++--
 Dockerfile.ci                             | 20 ++++++++++++++++++--
 scripts/docker/install_os_dependencies.sh | 20 ++++++++++++++++++--
 3 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b88b4a86f89..67cb0585a69 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -495,8 +495,24 @@ function install_golang() {
 }
 
 function install_rustup() {
-    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-        sh -s -- -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    local arch
+    arch="$(dpkg --print-architecture)"
+    declare -A rustup_targets=(
+        [amd64]="x86_64-unknown-linux-gnu"
+        [arm64]="aarch64-unknown-linux-gnu"
+    )
+    local target="${rustup_targets[${arch}]}"
+    if [[ -z "${target}" ]]; then
+        echo "Unsupported architecture for rustup: ${arch}"
+        exit 1
+    fi
+    local base_url="https://static.rust-lang.org/rustup/dist/${target}";
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init" -o 
/tmp/rustup-init
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init.sha256" -o 
/tmp/rustup-init.sha256
+    cd /tmp && sha256sum --check rustup-init.sha256
+    chmod +x /tmp/rustup-init
+    /tmp/rustup-init -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    rm -f /tmp/rustup-init /tmp/rustup-init.sha256
 }
 
 function apt_clean() {
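Review bot: The digest checked by `sha256sum --check rustup-init.sha256` is fetched from the same host and directory as the binary, so it catches a corrupted or truncated download but not a replaced artifact: whoever can change `rustup-init` on that origin can change `rustup-init.sha256` as well. For a supply-chain control the expected digest should be pinned in this repository, one per supported architecture. Pinning also needs a versioned download location, since `rustup/dist/${target}` carries no version and presumably tracks the latest release. The identical code in the Dockerfile.ci and scripts/docker/install_os_dependencies.sh hunks needs the same change. A sketch with placeholder digests and a placeholder `RUSTUP_VERSION` variable follows; the archive URL layout should be confirmed before use.
```dockerfile
    # Digests pinned in-repo and updated together with RUSTUP_VERSION (placeholder values).
    declare -A rustup_sha256=(
        [amd64]="<PLACEHOLDER_SHA256_X86_64_RUSTUP_INIT>"
        [arm64]="<PLACEHOLDER_SHA256_AARCH64_RUSTUP_INIT>"
    )
    # … unchanged: arch lookup, rustup_targets map and unsupported-architecture check …
    local base_url="https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${target}"
    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init" -o /tmp/rustup-init
    echo "${rustup_sha256[${arch}]}  /tmp/rustup-init" | sha256sum --check --strict - || exit 1
    # … unchanged: chmod, run rustup-init, remove the downloaded file …
```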
diff --git a/Dockerfile.ci b/Dockerfile.ci
index aa4d5d03c7a..e330d88d9b7 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -435,8 +435,24 @@ function install_golang() {
 }
 
 function install_rustup() {
-    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-        sh -s -- -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    local arch
+    arch="$(dpkg --print-architecture)"
+    declare -A rustup_targets=(
+        [amd64]="x86_64-unknown-linux-gnu"
+        [arm64]="aarch64-unknown-linux-gnu"
+    )
+    local target="${rustup_targets[${arch}]}"
+    if [[ -z "${target}" ]]; then
+        echo "Unsupported architecture for rustup: ${arch}"
+        exit 1
+    fi
+    local base_url="https://static.rust-lang.org/rustup/dist/${target}";
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init" -o 
/tmp/rustup-init
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init.sha256" -o 
/tmp/rustup-init.sha256
+    cd /tmp && sha256sum --check rustup-init.sha256
+    chmod +x /tmp/rustup-init
+    /tmp/rustup-init -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    rm -f /tmp/rustup-init /tmp/rustup-init.sha256
 }
 
 function apt_clean() {
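Review bot: A failed verification at `cd /tmp && sha256sum --check rustup-init.sha256` stops the install only if `set -e` is in effect, which is not visible in this hunk and is ignored when `install_rustup` is called from a condition or an `&&`/`||` list. In that case the `chmod +x` and the execution on the following lines still run on an unverified binary. Making the check fail closed and scoping the directory change fixes both: `(cd /tmp && sha256sum --check --strict rustup-init.sha256) || exit 1`. It is also worth confirming which filename the published `.sha256` file records; if it is a build path rather than a bare `rustup-init`, `--check` run from `/tmp` will not find the file. The same lines appear in the Dockerfile and scripts/docker/install_os_dependencies.sh hunks.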
diff --git a/scripts/docker/install_os_dependencies.sh 
b/scripts/docker/install_os_dependencies.sh
index a93adef0695..f5c049144a9 100644
--- a/scripts/docker/install_os_dependencies.sh
+++ b/scripts/docker/install_os_dependencies.sh
@@ -401,8 +401,24 @@ function install_golang() {
 }
 
 function install_rustup() {
-    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-        sh -s -- -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    local arch
+    arch="$(dpkg --print-architecture)"
+    declare -A rustup_targets=(
+        [amd64]="x86_64-unknown-linux-gnu"
+        [arm64]="aarch64-unknown-linux-gnu"
+    )
+    local target="${rustup_targets[${arch}]}"
+    if [[ -z "${target}" ]]; then
+        echo "Unsupported architecture for rustup: ${arch}"
+        exit 1
+    fi
+    local base_url="https://static.rust-lang.org/rustup/dist/${target}";
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init" -o 
/tmp/rustup-init
+    curl --proto '=https' --tlsv1.2 -sSf "${base_url}/rustup-init.sha256" -o 
/tmp/rustup-init.sha256
+    cd /tmp && sha256sum --check rustup-init.sha256
+    chmod +x /tmp/rustup-init
+    /tmp/rustup-init -y --default-toolchain "${RUSTUP_DEFAULT_TOOLCHAIN}"
+    rm -f /tmp/rustup-init /tmp/rustup-init.sha256
 }
 
 function apt_clean() {
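Review bot: The "Unsupported architecture" message may never be printed. If the script runs under `set -u` (not visible in this hunk), `${rustup_targets[${arch}]}` aborts with an unbound-variable error on a missing key, before the `-z` test is reached. Using `local target="${rustup_targets[${arch}]:-}"` keeps the intended error path, and the message belongs on stderr: `echo "Unsupported architecture for rustup: ${arch}" >&2`. The fixed `/tmp/rustup-init` paths could also be replaced with a `mktemp -d` directory, so the file that gets executed does not sit at a predictable name in a shared directory. The same lines appear in the Dockerfile and Dockerfile.ci hunks.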
